194538 2019-02-12 06:43:36 -0800 Crash in WebCore::ScrollingTree::updateTreeFromStateNode 2019-05-08 07:22:10 -0700 1 1 1 Unclassified WebKit Scrolling WebKit Nightly Build Unspecified Unspecified RESOLVED FIXED InRadar P2 Normal --- 1 koivisto webkit-unassigned ajuma cmarcelo commit-queue ews-watchlist fred.wang ggaren jamesr justincohen justincohen luiz simon.fraser tonikitoo zalan oldest_to_newest 1505211 0 koivisto 2019-02-12 06:43:36 -0800 3 libsystem_c.dylib: abort 3 libc++abi.dylib: abort_message 3 libc++abi.dylib: __cxa_pure_virtual ==> 3 WebCore: WebCore::ScrollingTree::updateTreeFromStateNode(WebCore::ScrollingStateNode const*, WTF::HashMap<unsigned long long, WTF::RefPtr<WebCore::ScrollingTreeNode, WTF::DumbPtrTraits<WebCore::ScrollingTreeNode> >, WTF::IntHash<unsigned long long>, WTF::HashTraits<unsigned long long>, WTF::HashTraits<WTF::RefPtr<WebCore::ScrollingTreeNode, WTF::DumbPtrTraits<WebCore::ScrollingTreeNode> > > >&) <== 3 WebCore: WebCore::ScrollingTree::updateTreeFromStateNode(WebCore::ScrollingStateNode const*, WTF::HashMap<unsigned long long, WTF::RefPtr<WebCore::ScrollingTreeNode, WTF::DumbPtrTraits<WebCore::ScrollingTreeNode> >, WTF::IntHash<unsigned long long>, WTF::HashTraits<unsigned long long>, WTF::HashTraits<WTF::RefPtr<WebCore::ScrollingTreeNode, WTF::DumbPtrTraits<WebCore::ScrollingTreeNode> > > >&) pruning: 2 WebCore: WebCore::ScrollingTree::commitTreeState(std::__1::unique_ptr<WebCore::ScrollingStateTree, std::__1::default_delete<WebCore::ScrollingStateTree> >) pruning: 1 WebCore: WebCore::ScrollingTree::updateTreeFromStateNode(WebCore::ScrollingStateNode const*, WTF::HashMap<unsigned long long, WTF::RefPtr<WebCore::ScrollingTreeNode, WTF::DumbPtrTraits<WebCore::ScrollingTreeNode> >, WTF::IntHash<unsigned long long>, WTF::HashTraits<unsigned long long>, WTF::HashTraits<WTF::RefPtr<WebCore::ScrollingTreeNode, WTF::DumbPtrTraits<WebCore::ScrollingTreeNode> > > >&) 1505212 1 koivisto 2019-02-12 06:44:08 -0800 <rdar://problem/47841926> 1505214 2 361794 koivisto 2019-02-12 06:55:42 -0800 Created attachment 361794 patch 1505223 3 361794 commit-queue 2019-02-12 08:22:24 -0800 Comment on attachment 361794 patch Clearing flags on attachment: 361794 Committed r241296: <https://trac.webkit.org/changeset/241296> 1505224 4 commit-queue 2019-02-12 08:22:26 -0800 All reviewed patches have been landed. Closing bug. 1533908 5 justincohen 2019-05-07 07:34:10 -0700 Chrome for iOS is seeing a big increase in this crash on 12.2. And while volume is low, we also see it on 12.3 For example: 0x000000019ae7d0dc (libsystem_kernel.dylib + 0x000230dc ) __pthread_kill 0x000000019aef6090 (libsystem_pthread.dylib + 0x00002090 ) pthread_kill$VARIANT$mp 0x000000019add6ea4 (libsystem_c.dylib + 0x0005aea4 ) abort 0x000000019a4a3784 (libc++abi.dylib + 0x00001784 ) abort_message 0x000000019a4b0a3c (libc++abi.dylib + 0x0000ea3c ) __cxa_pure_virtual 0x00000001a4cd68d4 (WebCore + 0x011da8d4 ) WebCore::ScrollingTree::updateTreeFromStateNode(WebCore::ScrollingStateNode const*, WTF::HashMap<unsigned long long, WTF::RefPtr<WebCore::ScrollingTreeNode, WTF::DumbPtrTraits<WebCore::ScrollingTreeNode> >, WTF::IntHash<unsigned long long>, WTF::HashTraits<unsigned long long>, WTF::HashTraits<WTF::RefPtr<WebCore::ScrollingTreeNode, WTF::DumbPtrTraits<WebCore::ScrollingTreeNode> > > >&) 0x00000001a4cd69bc (WebCore + 0x011da9bc ) WebCore::ScrollingTree::updateTreeFromStateNode(WebCore::ScrollingStateNode const*, WTF::HashMap<unsigned long long, WTF::RefPtr<WebCore::ScrollingTreeNode, WTF::DumbPtrTraits<WebCore::ScrollingTreeNode> >, WTF::IntHash<unsigned long long>, WTF::HashTraits<unsigned long long>, WTF::HashTraits<WTF::RefPtr<WebCore::ScrollingTreeNode, WTF::DumbPtrTraits<WebCore::ScrollingTreeNode> > > >&) 0x00000001a4cd636c (WebCore + 0x011da36c ) WebCore::ScrollingTree::commitTreeState(std::__1::unique_ptr<WebCore::ScrollingStateTree, std::__1::default_delete<WebCore::ScrollingStateTree> >) 0x00000001aaa080cc (WebKit + 0x002a50cc ) WebKit::RemoteScrollingCoordinatorProxy::commitScrollingTreeState(WebKit::RemoteScrollingCoordinatorTransaction const&, WebKit::RemoteScrollingCoordinatorProxy::RequestedScrollInfo&) 0x00000001aa9115d0 (WebKit + 0x001ae5d0 ) WebKit::RemoteLayerTreeDrawingAreaProxy::commitLayerTree(WebKit::RemoteLayerTreeTransaction const&, WebKit::RemoteScrollingCoordinatorTransaction const&) 0x00000001aa7b915c (WebKit + 0x0005615c ) void IPC::handleMessage<Messages::RemoteLayerTreeDrawingAreaProxy::CommitLayerTree, WebKit::RemoteLayerTreeDrawingAreaProxy, void (WebKit::RemoteLayerTreeDrawingAreaProxy::*)(WebKit::RemoteLayerTreeTransaction const&, WebKit::RemoteScrollingCoordinatorTransaction const&)>(IPC::Decoder&, WebKit::RemoteLayerTreeDrawingAreaProxy*, void (WebKit::RemoteLayerTreeDrawingAreaProxy::*)(WebKit::RemoteLayerTreeTransaction const&, WebKit::RemoteScrollingCoordinatorTransaction const&)) 0x00000001aa79ceac (WebKit + 0x00039eac ) IPC::MessageReceiverMap::dispatchMessage(IPC::Connection&, IPC::Decoder&) 0x00000001aa95a31c (WebKit + 0x001f731c ) WebKit::WebProcessProxy::didReceiveMessage(IPC::Connection&, IPC::Decoder&) 0x00000001aa78da1c (WebKit + 0x0002aa1c ) IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) 0x00000001aa79050c (WebKit + 0x0002d50c ) IPC::Connection::dispatchIncomingMessages() 1534090 6 simon.fraser 2019-05-07 13:35:27 -0700 Any information you can gather about reproducibility would help in the diagnosis. 1534303 7 ajuma 2019-05-08 07:22:10 -0700 (In reply to Simon Fraser (smfr) from comment #6) > Any information you can gather about reproducibility would help in the > diagnosis. We don't have specific repro steps, but we know that users that have our new session restoration logic enabled are running into this crash at a rate that's 30 times higher than other users, and are crashing much earlier -- the median process uptime when this particular crash occurs is about 16 seconds for those users, compared to 4.3 minutes for other users. This new session restoration logic works by loading a sequence of file URLs that each return a page that can redirect to the actual site the user visited. So as the user navigates back/forward, we'd first visit that file URL, then get a redirect, and then load the actual URL. (We have to restore sessions in this weird way in order to workaround bug 169618.) This approach has the side effect of adding process swaps. So suppose the user's actual history is: a) www.google.com/search?q=cats b) www.google.com/search?q=dogs c) www.google.com/search?q=mice And say that at startup, we restore this history and the user is now at (c). At this point, if the user taps on the back button, we'd first load our file URL that then redirects to (b). So ordinarily on a navigation from (c) to (b) there wouldn't be a process swap and we'd continue committing to the same ScrollTree, but with this change we swap to a different process for the file URL and then back to the original process after the redirect. And this time, when we continue in the original process, we're committing to a new scroll tree. So my guess is that somehow we're winding up with a parent-less ScrollTreeNode at the end of all this. (And afaik, https://bugs.webkit.org/show_bug.cgi?id=193907 is not in 12.2 or 12.3, so we don't have the change there to track and remove unvisited nodes in ScrollingTree::commitTreeState.) 361794 2019-02-12 06:55:42 -0800 2019-02-12 08:22:24 -0800 patch scrollingtree-nodemap-remove.patch text/plain 1338 koivisto SW5kZXg6IFNvdXJjZS9XZWJDb3JlL0NoYW5nZUxvZwo9PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBTb3VyY2UvV2Vi Q29yZS9DaGFuZ2VMb2cJKHJldmlzaW9uIDI0MTI5MykKKysrIFNvdXJjZS9XZWJDb3JlL0NoYW5n ZUxvZwkod29ya2luZyBjb3B5KQpAQCAtMSwzICsxLDE2IEBACisyMDE5LTAyLTEyICBBbnR0aSBL b2l2aXN0byAgPGFudHRpQGFwcGxlLmNvbT4KKworICAgICAgICBDcmFzaCBpbiBXZWJDb3JlOjpT Y3JvbGxpbmdUcmVlOjp1cGRhdGVUcmVlRnJvbVN0YXRlTm9kZQorICAgICAgICBodHRwczovL2J1 Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9MTk0NTM4CisgICAgICAgIDxyZGFyOi8vcHJv YmxlbS80Nzg0MTkyNj4KKworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKwor ICAgICAgICAqIHBhZ2Uvc2Nyb2xsaW5nL1Njcm9sbGluZ1RyZWUuY3BwOgorICAgICAgICAoV2Vi Q29yZTo6U2Nyb2xsaW5nVHJlZTo6dXBkYXRlVHJlZUZyb21TdGF0ZU5vZGUpOgorCisgICAgICAg IE1ha2Ugc3VyZSB3ZSBkb24ndCBsZWF2ZSBub2RlIGVudHJ5IGJlaGluZCBpbiBtX25vZGVNYXAg aW4gY2FzZSB3ZSBmYWlsZWQgdG8gYWRkIGl0IHRvIHRoZSBwYXJlbnQuCisKIDIwMTktMDItMTIg IFJvYiBCdWlzICA8cmJ1aXNAaWdhbGlhLmNvbT4KIAogICAgICAgICBJbXBsZW1lbnQgc2VyaWFs aXppbmcgaW4gTUlNRSB0eXBlIHBhcnNlcgpJbmRleDogU291cmNlL1dlYkNvcmUvcGFnZS9zY3Jv bGxpbmcvU2Nyb2xsaW5nVHJlZS5jcHAKPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291cmNlL1dlYkNvcmUvcGFn ZS9zY3JvbGxpbmcvU2Nyb2xsaW5nVHJlZS5jcHAJKHJldmlzaW9uIDI0MTI5MykKKysrIFNvdXJj ZS9XZWJDb3JlL3BhZ2Uvc2Nyb2xsaW5nL1Njcm9sbGluZ1RyZWUuY3BwCSh3b3JraW5nIGNvcHkp CkBAIC0yMjksNiArMjI5LDkgQEAgdm9pZCBTY3JvbGxpbmdUcmVlOjp1cGRhdGVUcmVlRnJvbVN0 YXRlTgogICAgICAgICAgICAgYXV0byogcGFyZW50ID0gcGFyZW50SXQtPnZhbHVlOwogICAgICAg ICAgICAgbm9kZS0+c2V0UGFyZW50KHBhcmVudCk7CiAgICAgICAgICAgICBwYXJlbnQtPmFwcGVu ZENoaWxkKCpub2RlKTsKKyAgICAgICAgfSBlbHNlIHsKKyAgICAgICAgICAgIC8vIEZJWE1FOiBV c2UgV2Vha1B0ciBpbiBtX25vZGVNYXAuCisgICAgICAgICAgICBtX25vZGVNYXAucmVtb3ZlKG5v ZGVJRCk7CiAgICAgICAgIH0KICAgICB9CiAK